
Operator Under the EU AI Act: Definition, Roles, and Obligations

Definition · 3 June 2026 · 9 min read · 1,800 words

EU AI Act Article 3, point 8: operator covers providers, deployers, importers, distributors, authorised representatives, and product manufacturers.

"Operator" is the EU AI Act's umbrella term for every actor in the AI value chain. If a duty in Regulation (EU) 2024/1689 falls on "operators," it falls on you — regardless of whether you built the system, imported it, distributed it, or simply switched it on.

The EU AI Act definition

Article 3, point 8 of Regulation (EU) 2024/1689 defines "operator" as:

"provider, product manufacturer, deployer, authorised representative, importer or distributor"

Six roles. One term that collects them all. The Regulation uses "operator" when it wants to reach any member of the supply chain without enumerating every role each time. Wherever you encounter a duty, a right, or a restriction addressed to "operators," read it as applying across all six positions.

The six underlying roles each carry their own article: providers (Article 16), deployers (Article 26), authorised representatives (Article 22), importers (Article 23), distributors (Article 24), and product manufacturers — whose safety-component obligations layer on top of existing EU product legislation (such as the Machinery Regulation (EU) 2023/1230 or the Medical Device Regulation 2017/745) and who become providers or deployers for AI Act purposes depending on what they do with the system.

Why the umbrella term matters

Most of the Act's substantive chapters address specific roles directly. Article 9 (risk management system), Article 11 (technical documentation), Article 14 (human oversight), Article 16 (provider obligations), Article 26 (deployer obligations) — these impose duties on named actors. When the Regulation wants to catch everyone at once, it uses "operator."

In practice, the umbrella shows up most visibly in provisions about access to information, cooperation with authorities, and record-keeping. A national market-surveillance authority exercising its powers under Articles 74 and following can direct obligations and requests at "operators" broadly — it does not need to pre-identify exactly which role you occupy before requiring your cooperation.

Understanding that you are an operator is therefore the first gate, not the last. Once you clear it, the substantive question becomes: which of the six specific roles do you occupy? That is what determines your concrete compliance stack.

The six operator roles at a glance

Provider — A company or individual that develops a high-risk AI system and places it on the market or puts it into service under its own name or trademark. Providers carry the heaviest obligations: a quality management system (Article 17), a risk management system (Article 9), technical documentation to Annex IV specifications (Article 11), logging and record-keeping (Article 12), transparency toward deployers (Article 13), human-oversight design (Article 14), and a conformity assessment under Article 43 before market entry. Registration in the EU database (Article 49) and serious-incident reporting (Article 73) also sit with the provider. See the full breakdown at /glossary/provider.

Deployer — An organisation or individual that uses a high-risk AI system in a professional context under its own authority, without having developed or placed it on the market. Think of the regional lender running a third-party credit-scoring model, or the public authority using a recruitment-screening tool procured from a vendor. Deployers must follow the provider's instructions of use, maintain human oversight (Article 14 as designed in by the provider), keep logs for at least six months (Article 26), notify worker representatives before deploying systems that affect employees, and — for certain deployers in the public sector or handling creditworthiness or life/health insurance decisions — conduct a Fundamental Rights Impact Assessment under Article 27. See /glossary/deployer for the full obligations picture.

Authorised representative — A natural or legal person established in the EU and designated in writing by a provider established outside the EU. The authorised representative acts as the EU contact point for market-surveillance authorities, holds a copy of the technical documentation and EU declaration of conformity, and can be held liable for non-compliance in the same way as the provider. Article 22 governs this role. See /glossary/authorised-representative.

Importer — A company established in the EU that places a high-risk AI system from a third-country provider on the EU market. Importers must verify that the provider has completed the relevant conformity assessment (Article 43), that documentation is in order, and that the system bears the CE marking (Article 48). If an importer has reason to believe a system is non-compliant, it must not place it on the market. Article 23 sets out the verification duties. See /glossary/importer.

Distributor — Any actor in the supply chain, other than the provider or importer, that makes a high-risk AI system available on the EU market without placing it on the market itself. Distributors carry a lighter but real obligation: verify that the CE marking and documentation are present, and do not supply a system they have grounds to believe is non-compliant. Article 24 applies. See /glossary/distributor.

Product manufacturer — Where a high-risk AI system is a safety component of a product governed by EU harmonisation legislation listed in Annex I (machinery, medical devices, automotive, civil aviation, etc.), the manufacturer of that product takes on the role of provider for the AI component if it places the combined product on the market under its own name. The conformity-assessment route for these systems runs under Article 6(1) and the integrated Annex I procedure, with a deadline of 2 August 2028 under the Digital Omnibus agreed in May 2026.

You can hold more than one operator role

The Act explicitly contemplates multi-role occupancy. Article 25 is the key provision: it sets out the circumstances in which a deployer, distributor, or importer steps up into the provider's shoes and inherits the full provider obligation stack.

This happens in three situations. First, if you place a high-risk AI system on the market under your own name or trademark. Second, if you make a substantial modification to a high-risk system — meaning a modification that changes the system's intended purpose or its fundamental design such that it would need a new conformity assessment (Article 3, point 23 defines substantial modification). Third, if you modify the intended purpose of a high-risk system beyond what the original provider's conformity assessment covered.

Outside the Article 25 role-shift scenarios, you can simultaneously be an importer and a deployer, or an authorised representative and a distributor, without any transformation in obligations — you simply carry the duties of each role you occupy in parallel.

A concrete example: a German software company buys a US-developed AI screening tool for its own HR department (making it a deployer) and resells it to other German companies (making it a distributor). It holds both roles at once and must meet the requirements of Article 26 for its internal use and Article 24 for the resale.

Identifying every role you occupy at the outset — for each AI system in your inventory — is what a compliance assessment must resolve before any other question.

How Confir determines your operator role

Confir's classification workflow asks plain-English scenario questions about each AI system in your inventory: did you develop it? Do you place it on the market under your name? Do you use it under your own authority without having built it? Did you bring it into the EU from a third-country supplier?

The rule-based, deterministic engine maps your answers to the role definitions in Article 3 and the responsibility provisions in Article 25. The output is a derived role — or combination of roles — for each system, with the associated compliance obligations listed by article number. No AI inference is involved; the same intake always produces the same finding. Pricing starts from €600 per year at confir.eu.

Frequently Asked Questions

Q: Does "operator" have any independent obligations, or does it only describe a category?

The term "operator" primarily functions as a collective. Most substantive obligations in Regulation (EU) 2024/1689 attach to the specific roles — provider, deployer, importer, and so on. The umbrella term surfaces in cross-cutting provisions (market-surveillance access, cooperation duties, information rights) where the Regulation addresses all value-chain actors at once. Your concrete compliance stack flows from whichever of the six underlying roles you hold.

Q: We use several third-party AI tools internally but have not built any ourselves. Are we operators?

Yes. Using a high-risk AI system in a professional capacity under your own authority makes you a deployer under Article 3, point 8 — which falls within the operator definition. Your obligations are set out in Article 26. Many companies that have never developed an AI system are nonetheless operators because they run third-party tools for recruitment, credit decisions, or other purposes that fall in Annex III.

Q: Can a company be both a provider and a deployer at the same time?

Yes, for different systems. A company might develop and market a high-risk AI system (provider under Article 16) and also run a third-party AI tool internally for a different purpose (deployer under Article 26). Each system is assessed separately. The roles do not conflict — they simply apply to different items in the AI inventory.

Q: What happens if we rebrand a third-party AI system under our own name?

You become the provider. Article 25 is explicit: placing a high-risk AI system on the market or into service under your own name or trademark shifts the full provider obligation stack onto you, regardless of who originally developed the system. You inherit Article 16, Article 17, Article 9, Article 11, Article 43, and the rest — even if you made no changes to the underlying model.

Q: The Act talks about "product manufacturers" — does that apply to software companies?

Only if your software is a safety component of a product listed in Annex I (the EU harmonisation legislation list: machinery, medical devices, lift equipment, civil aviation, automotive, and others). Pure software products that are not safety components of Annex I-regulated goods follow the Annex III classification route. If you develop standalone SaaS and it falls in Annex III, your role is provider — Article 6(1) and the Annex I integrated route do not apply.

Q: When does a distributor's obligation become a provider's obligation?

Under Article 25, a distributor becomes a provider if it places the system on the market under its own name, makes a substantial modification (Article 3, point 23), or changes the intended purpose beyond the scope of the existing conformity assessment. Short of those three triggers, the distributor's obligations remain the lighter verification duties of Article 24 — checking that CE marking and documentation are in place and not supplying a system it has grounds to believe is non-compliant.
